SINGAPORE — Singapore’s Marina Bay Sands (MBS) has been fined S$315,000 (RM1.1 million) by the Personal Data Protection Commission (PDPC) after a data breach exposed the personal details of more than 665,000 patrons.

According to AsiaOne, the PDPC said in a statement that the October 2023 breach involved the unauthorised access and exfiltration of data, including names and contact details of MBS patrons. 

The information was later found being offered for sale on the dark web.

The PDPC said such leaks could be exploited for phishing scams or identity theft, adding that the fine was determined under its revised Financial Penalty Framework.

Investigations found that MBS failed to take reasonable security measures during a large-scale software migration in March 2023.

“It is necessary to ensure that security policies are applied when properly migrating from old software to new, including data access rights,” the PDPC said.

In this instance, a flaw in the ArtScience Friends webpage — part of the ArtScience Museum’s membership programme — left a missing identifier that opened the door for hackers to retrieve patron data.